The FTC Takes on the Spam Dispensers

David Vladeck is fighting Twitter, Facebook, and other Web titans to hunt spammers, spyware, and identity thieves

If you think you get too much spam, try visiting the second floor of the Federal Trade Commission building in Washington. That's where a computer server holds the world's largest collection of spam e-mail—314 million messages, with 200,000 more arriving every day. The machine sits in the agency's Internet lab, a bunker crammed with electronic devices that help investigators hunt down spammers, spyware makers, and identity thieves.

Set up by Woodrow Wilson in 1914 as an antitrust watchdog, the FTC has steadily expanded its mandate to shield consumers from fraud and other deceptive business practices. Today it oversees everything from funeral homes to a national do-not-call registry for telemarketers. While antitrust and financial scams still top its agenda, the agency has taken fraud fighting digital over the past decade. It shut down spyware rings and outfits like 3FN, a Belize operation responsible for half of global spam until last year. "We're worried about fraudsters who can use the anonymity of technology...to steal money or to cheat people in ways that are hard to detect," says David Vladeck, head of the FTC Bureau of Consumer Protection.

One year into his job as the nation's top scam-buster, Vladeck is targeting threats to users of social networks and mobile devices. He has convened roundtables with Silicon Valley executives, and in June he completed work on a mobile forensics lab where staff attorneys and investigators sniff out problematic apps and Web sites using handheld devices.

Privacy advocates say an Internet cop like the FTC is needed as new technologies present scammers with ever more opportunities. In June, an intruder hacked into AT&T's (T) website, exposing e-mail addresses of 114,000 iPad owners. In May, Google (GOOG) said it had inadvertently collected data from wireless Internet users while it took photos for its Street View mapping feature. "A lot of the threats that you have to defend consumers against are technical—on the Web, on mobile devices, on new kinds of gadgets that people aren't using yet," says Peter Eckersley of the nonprofit Electronic Frontier Foundation in Washington.

The past year has served as a tech crash course for the 59-year-old Vladeck, a former law professor at Georgetown University. "I felt I was in over my head because I'm essentially a Luddite," he says. He has no Facebook or Twitter account, and the job forced him to use a BlackBerry (RIMM) for the first time. For tech advice, he has had to lean on resident experts such as former privacy blogger Christopher Soghoian and the twentysomethings on the agency's staff. "Having people with technological savvy is really crucial," Vladeck says.

Although the FTC declined to discuss pending investigations, it has hinted that it's looking into data security incidents at major Web services. Google's Wi-Fi flap provoked a response from Vladeck's boss, FTC Chairman Jon Leibowitz, who said the agency would take a "close look" at the matter. After Facebook in April changed its privacy policy in a way that troubled some users, four U.S. senators filed a complaint with the FTC.

On June 24, the agency announced a settlement with Twitter, concluding an investigation into a breach of user account information in 2008. Vladeck says Twitter failed to do enough to secure its site, allowing a hacker with a password-guessing program to commandeer customer accounts. The settlement subjects Twitter to independent security audits for 10 years. "We want to signal to industry that this kind of lack of control is not tolerable," says Vladeck. It was the agency's 28th data security case and the first to involve a social networking site.

The FTC's mandate allows it to take action against companies whose practices it considers unfair or deceptive; it cannot, however, set industry rules. The agency is creating "regulatory requirements without actually passing any regulation," says Paul Bond, an attorney who specializes in data privacy at Pittsburgh-based law firm Reed Smith. "It is a lesson to every company not to overpromise with respect to privacy."

The bottom line: After a decade of fighting spam and online fraud, the FTC is turning to social networks and scams targeting mobile devices.